Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14OTVoLTk3OXgtY2Yzas0Wmg
Policies not properly enforced in bluemonday
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
Permalink: https://github.com/advisories/GHSA-x95h-979x-cf3jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14OTVoLTk3OXgtY2Yzas0Wmg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-x95h-979x-cf3j, CVE-2021-42576
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42576
- https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
- https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4
- https://pkg.go.dev/vuln/GO-2022-0588
- https://github.com/advisories/GHSA-x95h-979x-cf3j
Blast Radius: 0.0
Affected Packages
go:github.com/microcosm-cc/bluemonday
Dependent packages: 3,600Dependent repositories: 15,065
Downloads:
Affected Version Ranges: < 1.0.16
Fixed in: 1.0.16
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15
All unaffected versions: 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26
pypi:pybluemonday
Dependent packages: 0Dependent repositories: 74
Downloads: 8,867 last month
Affected Version Ranges: < 0.0.8
Fixed in: 0.0.8
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7
All unaffected versions: 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12